three of those industries. gentlemen, i want to start with an opening question for each of you. what are some of the attacks that have happened on your industry and how are you preventing them? we begin with tom kuhn of the edison electric institute, which represents several electric companies in the united states. everyfar -- we get pings day from various sources, but so far the major attacks we have had have been on customer information systems or things of that nature. they have not been attacks that keep me up at night, which are the ones that would do some damage to our critical infrastructure. >> how do you work to prevent this? >> we have technology, cyber technologies, prevention technologies. we spend a lot of time now on technologies.

again, we have not had the kind of attack that would hurt our critical infrastructure to which the president referred. we are good on resiliency and redundancy and response and recovery programs like with hurricane sandy. >> peter president and ceo of the air traffic control association. your answer? >> there have been attacks. they are not well publicized because it is confidential information and obviously you do not want too many people to know how the air traffic control system works. it is difficult to explain air traffic control in a soundbite. it happened in alaska. what is being done now, we have very ancient infrastructure for control. it is been around since the late 1950s, early 1960s. it is a mix of different equipment. very insecure. right now we are in a modernization phase where we are modernizing, moving from a land- based system to a space-based,

satellite, gps, that type of thing. as we do that we need to look at how we are going to prevent cyber attacks, how we are going to keep people from getting into the system. basically right now it is education. letting people know what to look for. how to adapt five threats. what threats look like. what they might be. what to do when that happens. thereg garcia represents financial services industry. former homeland security assistant secretary for cybersecurity. when it comes to financial youitutions, how do prevent attacks? what attacks are happening? >> attacks are always evolving. for the financial services sector most recently we have seen so-called distributed denial of service attacks, a way of flooding a network with information requests that cause a slowdown or a stop in service. cyber criminals are after money

, as was willie sutton in the days of robbing banks. they are after intellectual property. lots of information. the attacks and threats are constantly evolving. the banks are very well prepared for that. they invest hundreds of millions of dollars in preventative measures, in various high-tech staff who have great expertise in this area. i am representing the financial services information sharing and analysis enter which is a grouping of banks and financial institutions that gather together their collective intelligence, share information about threats and vulnerabilities and collectively respond. it is all based on the notion that forewarned is forearmed. none of us are as smart as all of us combined.

really, the best method of havinging to attacks is advanced intelligence, sharing information, working collaboratively. >> are there any restrictions on the sharing of information between banks? >> banks have to be careful about who they share with. they are trusted environments within other industry groupings. certainly companies do not want to share competitive information that would lead to antitrust issues. there are some restrictions bidirectionally between the government, which has classified information, and financial institutions. there has to be a trust relationship improved their. there are some areas where the government simply cannot share information with the banks and the financial sector may not share certain information with the government if it runs afoul of privacy concerns or civil liberties or proprietary

financial information, etc. , has there been an attack on the air traffic control system that has stopped traffic? >> no. but that is something we have to worry about. there are different levels and there would be different reasons for attacks. what is the reason? is the reason to bring down an aircraft, which could be a terrorist type thing come a which as we were discussing in the other room is horrific and a big catastrophe and gets a lot of attention. more importantly, if we cripple the air traffic control system, if the air traffic control system -- it contributes $1.3 trillion to the economy. if you shut that down you are crippling the economy. 137,000 operations a day. if we shut that down that will be an economic catastrophe.

> our guest reporter -- >> thank you. you just spoke to the nature of the air traffic control system being quite a bit antiquated. that brings up to questions. does the fact it sort of is pre- digital reduce the risk of a catastrophic attack like rerouting a plane, and as you transition to a next-generation and will that increase the risk posed by the cyber threat? >> that is an interesting question. the older systems, you are right, they are less digitized. so the types of threats are different. as you know. as we modernize the system we are increasing the ability to enter into the system. weree old days, before we worried about cybersecurity the faa was concerned -- considered the air traffic system a closed system. it was pretty much that way.

now, as we expand the system we have more people introducing things into the system and we modernize the system. as we go to space-based, aircraft are going to become a note in an information system to do collaborative air traffic control. controllers are working with pilots and aircraft. the aircraft have a bigger picture of what is going on. as we introduce those into the closed loop, the information management system on the aircraft, that could be a way to get into the system and could compromise the system. as we open the back of the airplane up to more people using the internet then that is a possible entry into the system through the flight management system. justtleman from germany hewed an android app, how can take over an aircraft going through the automatic broadcast system, which is satellite-based

air traffic control, and the flight management system. basic commands -- go here, that reroutes the aircraft. go down, that crashes the aircraft. and then they have something called -- they confuse the pilot, lights go off, things go off, the pilot does not understand. , whoig problem is recognizes this is going on? as we digitize we have more entry points into the system. >> so how do you handle that sort of threat where you could control a plane from a smartphone? is this something you are baking into the system? the fleets tend to vary greatly in terms of age and technology. does that impact how they are secured? >> absolutely. were less aircraft phone or they did not have the systems.

network-enabled operations with aircraft part of the network, different fleet aircraft have different capabilities but they are all getting to a certain capability that would allow them to operate in the new system. mention thea, you financial services industry shares a lot of information. you also discussed some barriers. are any of the barriers preventative to effective threat deterrence? is there anything that could be addressed by legislation or administrative action? >> the banking sector generally supported the legislation, the cyber information sharing protection act. -- enablesed companies to share more information with the government protected from freedom of information act requests or

other public disclosure. that may be the most inhibiting deterrent to information sharing, the prospect that through -- information can be leaked to the general public and in effect putting the target on your four head for the adversaries who now are better informed about your vulnerabilities to attacks. where we are trying to push, in addition to information sharing human to human, the financial services sector coordinating council, sort of the umbrella organization they are a member of, we have to be a r&d committee where we specify 10 major areas where we see a need for research to fill the gap in arcade villages. -- in our capabilities. one of them is real-time information sharing, machine to machine, that enables us to look

at vast quantities of data, aggregated, correlated, and enable us to make decisions, predictive decisions about threats and incoming attacks. in a real-time way that human to human sharing, as useful as that is in trust-based relationships, that human sharing cannot do. so we are also driving a fairly aggressive r&d agenda working with government and treasury departments and other federal agencies, the academic community, to improve our collective knowledge. >> how dependent is the electric industry on network computers and other things that may be vulnerable to cyber attacks? >> we are very dependent, obviously. every other industry is dependent on the electric system, so banks or air traffic controllers or whatever all depend on electricity. so we are putting a tremendous

focus on what we need to do on cybersecurity. we are the only industry right now with mandatory standards. five years ago we set up a system with our self-regulating organization that was set up to respond to the blackouts. with thet of standards energy regulatory commission that have been updated five times now. we have standards. but we all agree they are a minimum. they do not do the job. what you need to do to go beyond that is information sharing. you need the information the government has. they have a army of intelligence people out there that we need to partner with. we also have information sharing group that is being expanded right now with ceo's and cio's and others to work with the department of homeland security and the department of energy to make sure that we get real-time

information, actionable intelligence that we need, that we have the best technologies in the system with respect to prevention technologies, and also the text and technologies. detection technologies are key move forwardually to address threats that may come from terrorist groups or from national groups overseas that want to harm us. we are not worried as much about a denial of service, which is what the banks are experiencing or the exultation of data people might use for corporate espionage. , peopleriminal attacks want to attack the banks to try and get some money. we are more worried about the physical damage done to the electric system that would disable the economy and every

part of the economy that depends on electricity. >> either deficiencies in the information sharing ability? >> we are working to improve information sharing abilities. there is information sharing going on right now through the government to the industry to federal regulators. its own capabilities -- it needs to be improved. it needs to focus i exactly what kind of intelligence we need, actionable intelligence. this is why we have a very high group working with ceo's and cio's working with secretaries of homeland security and the national security agency to make sure we improve those information sharing mechanisms are you >> information sharing is a very important point. the electric sector, like

services, these are the so- called millisecond sectors. services are being delivered in milliseconds. severalvely we and other major industry sectors constitute the critical infrastructure of the united states. well information -- while information sharing assuming we know is critical, there are standards of practice necessary, and the financial sector is supportive and participating in the president's executive order that was announced in early february to set up a cybersecurity framework collaboratively with industry and the critical infrastructure sectors. the financial services sector is heavily regulated among different lines for standards of practice. but those are minimum standards.

we recognize every day we can be doing better. we need to continually look for the best technology, the best practices, and the best people. use this process to collectively raise the bar across all critical infrastructure, because it is , they, it is uneven financial services, electric sector, other sectors are fairly advanced and how we are attacking the cybersecurity problem. other sectors, not so much. it is a cliché but we are only as strong as the weakest link. if we can find ways to get everybody to get a stronger, higher level of security that is standards-based but resilient, that is not stagnant , that can evolve with technological innovation, that is what we are looking for. >> i think we can all agree

information sharing is absolutely essential to get the best practices and find out the lessons learned and things that work in things that did not fall up but don't you agree there are barriers to information sharing? how classified are you, how much can you know, how much do you want to share about what cyber security measures are and how are protecting your system? vulnerable it becomes -- i think there are some barriers we need to get over in our information sharing. is a much there greater partnership with the government than there used to be and a much greater attention at the ceo level of how important it is. not know whodid their chief security or chief information officers are. now they are fully connected to them. there is high-level

participation to make sure we can break through the barriers of information sharing and have clearances occur much quicker. we have had a couple secret briefings with ceo's, with the national security agency and homeland security. people understand what the threats are. both individual, terrorist, national, etc.. a new urgency going on in this whole issue. every industry needs to be proactive because we are all interdependent, as greg indicates. >> you spoke to the fact that the energy industry has standards but are largely minimum is. can you tell us what impact that has across the sector? have they helped compel better security practices? >> i do not mean to imply that these standards are minimum. that we are not trying to do good standards. i mean they are the minimum

people are required to do and then we go beyond that. you need to go beyond that. beyond our standards we have set up threat scenario projects, with a former secretary of homeland security. we go through those threats. task forces on each of the key elements we think are important. tools and technologies -- what are the best technologies we can use for prevention and detection? oftainly on the issue information sharing, what are the things we need to do to really improve information sharing between government and industry? that is the focus of our discussions with the various agencies. thirdly, very important for us is response and recovery. we build a lot of redundancy and

resiliency in the system. with hurricane sandy we brought crews to help you the system back on. but ciber is different. we are working diligently on a response and recovery plan. a problem we can come back quickly. , if theuestion is obama administration and many senate democrats have maintained that the implementation of standards for critical infrastructure sectors would compel better behavior, have you seen that in the electric industry with the establishment of these standards for singh -- forcing companies to take it more seriously? >> sure. if there are standards, people in the companies responsible, there are federal regulators you have to go to to be accountable for the standards. so there is that attention that is there. still haveted, you

to go way beyond the standards in order to -- >> beyond the standards, one of the biggest threats to the security infrastructure is the human element, the insider threat. the errors of commission or omission. employee training is one of the most important things. you can have the best standards, the best technology, the best procedures, but if your people are not trained, your customers are not trained -- the financial industry sees its customers as part of the broader ecosystem. not only are we trying to protect them but we are trying to educate our customers on how they can protect themselves. that is really a key part of it. yes, there are insiders were malicious but a lot of cyber attacks can be prevented if only your employees have as a matter of habit the knowledge that you do not click on that e- mail that you do not recognize, that you do not open the

attachment you do not recognize. if it looks suspicious pass it on to your security team. some of the most elemental ways of preventing cyber attacks. it is one of the biggest hurdles we have to get over. >> the defense department acting withve been respect to thumb drives team brought in. >> even people who should know best are still getting into misbehavior. >> peter dumont, first of all, who are you representing? who is paying for any cybersecurity that your organization has? >> my organization does not have cybersecurity. wet we do, three years ago recognize there was a need to start discussing and educating about cybersecurity and air control. likembers are individuals

air traffic controllers, companies like lockheed martin. >> the airlines? >> yes, some airlines. just about every part of aviation is a member of my organization. we recognize three years ago that we need to start educating and what we did is we started putting aside a cybersecurity day in place. we got members from all the different parts of the industry together and did tabletop scenarios and operational scenarios because that is really the problem. we have operators other than need to be educated, air traffic controllers. we do not have the same issue we have that somebody might open an e-mail because the e-mail system is a different system than the air traffic control system, obviously. but if we cannot recognize that a threat is happening then we cannot react. we are trying to educate on a operational level first of all what a threat looks like, how to deal with a threat, and then a managerial level.

what do we do throughout the system once or recognize a threat? we shut it down? do we have the capability of isolating it? how many systems are effective? so what my organization is doing now, we have another one in june, in other cybersecurity day where we talk about lessons learned from the first two, talking about the president's executive order, talking about do toay be the faa can better beefed-up management of cybersecurity. >> said you work with an essay or dhs? >> we do not. what we advocate and what we think is the right solution is the faa, the government agency, they need to work with those bodies and learn with the best practices are and understand exactly what is being done in the different industries to deal with different threats. that is how we are going to

develop our own best practice. , you mentioned the banking industry is largely ahead of the curve when it comes to these things likely due to the nature of the business itself and as you said that criminals are most often looking for money. how would you say the broader employees of the industry -- how aware are they? how successful has education been, and are the keys to your industry advancing that could be applied to other critical sectors? >> by and large employees within the financial institutions are fairly well aware of what is going on, and given that over the last year increasing news about attacks on the financial system, the awareness has only grown. --a part of every banks bank's standard procedures,

employees are tested. they are trained twice a year and then tested on a random sampling of 10,000 employees. they will get a so-called phishing e-mail from the chief information security officer and it will try to dupe them into opening it up. the e-mail looks just about perfect but there is one little thing wrong with that, just enough to throw off a vigilant actuallyand if they open the e-mail and open the attachment they get a message from the chief information security officer saying you need to go back to training. if they forward the bad e-mail on to the security office saying this is a suspect e-mail than they get a love note. , and that kind of ongoing it has to be ongoing, because we forget.

we are dealing with hundreds of thousands of e-mails a day and documents and phone calls and you are moving. it has to be continually ingrained in your standard procedure, in your way of thinking. it has to become habit. >> we only have three minutes. let's go around the horn. what kind of legislation would you like to see congress pass? >> i think, i talked about cis pa earlier. if we can get rid of the barriers, as peter mentioned, that hamper information sharing between the government and the industry in providing liability protection to companies who do voluntarily disclose information, i think that would go a long way. the government needs to continue to invest and -- in research and development. basic research, the kind of research companies do on the development side, government needs to do basic research to deal with some of these big problems that are coming as a result of the positive effects

of innovation, but there are negative effects as well. and make sure we clarify who is cyber security policy across all the various industry sectors. >> i would agree with everything you just said. that would also add minimum standards are very important. ensuring we have the right minimum standards in place. ensuring government agencies are , focusing onted education as well as mitigating risk. the controversial part of legislation out there is mandatory regulations, and again we have already got them so we are not really concerned about that aspect. information sharing is very important. r&d is very important. liability protection is another important provision to make sure companies feel free to share

information and not worry about lawsuits and things of that nature. i think the important thing is the executive order has been helpful in my opinion, but do not wait for the legislation. sometimes it takes congress a long time to do things and we all need to move forward. tom kuhn represents electric companies, peter dumont is president and ceo of the air traffic control association, and greg garcia is advisor to the financial services information sharing and analysis center. gentlemen, thank you for being here. >> thank you. >> c-span, created by america's cable companies in 1979. brought to you as a public service by your public television provider.

tonight, first ladies, influence and image. a look at jane pierce and harriet lane. followed by president obama, vice president biden, and former congresswoman gabrielle giffords. -- paying tribute to her congressional aide, gabe zimmerman. later, al sharpton's action network annual convention. >> probably the most tragic of all our first ladies. she hated the office. hated it with a passion. ,> they took to the white house they had eight rooms they had to furnish. >> but she spent much of her time writing letters. to her dead son. in her